bartunek.me

Phishing redirectors

Redirectors for C&C servers are well known and commonly used to hide the real C&C infrastructure. We can apply the same concept to phishing sites: host all pages used in a red team engagement on one server and redirect traffic to it from multiple redirectors using different domains. Some benefits: you can host all your phishing sites on a single server and point multiple redirectors with phishing domains at it, and you don't need to log into each VPS to modify or monitor your phishing site.

C# Cobalt Strike stagers

Some time ago, I found an interesting GitHub repository, StageStrike. It contains sample C and C# code for Cobalt Strike stagers. In this post, I will use the C# version and add some features that are useful during an engagement: corporate proxy support, connection retries, basic environment keying, and virtual machine detection. How does it work? First, let's see how the stager works. The idea is pretty simple: the code needs to connect to the staging URL, download the data returned by the Cobalt Strike listener, and execute the downloaded shellcode (preferably everything happens in memory, without touching the disk, to make AV detection harder).

Offensive Go - stager

In this article, I will show you basic stagers for the Metasploit Framework written in Go. We will create Windows binaries that use the staging protocol to connect to the MSF listener. The idea behind creating our own dropper is pretty simple: we want to avoid detection, since antivirus software instantly detects and blocks the default Metasploit stagers. Why Go? Go is a simple and efficient programming language. It has a rich standard library and can easily be cross-compiled for different operating systems and platforms.

Offensive Go - reverse shells

Some time ago, I stumbled upon Hershell, a multi-platform reverse shell written in Go. Unfortunately, it was flagged as malicious by our corporate antivirus solution. As an exercise, I decided to create my own version of a Golang multi-platform reverse shell based on the Hershell code. There are some features I would like to have: the reverse shell should compile easily for different platforms (Windows, Linux, macOS) on both x86 and x64 architectures, it needs to encrypt data in transit, and it should have some protection against connecting to an arbitrary listener.

Basic Nginx configuration

Often during a penetration test, phishing awareness campaign, or red team, I need to set up a web server to host payloads, phishing websites, etc. This short post is a collection of Nginx configuration directives that I commonly use. Example use cases: redirecting HTTP traffic to HTTPS, enabling PHP processing, configuring a reverse proxy for HTTP(S) or TCP/UDP streams, and adding or removing HTTP headers in responses or adding them to requests sent to upstream servers.

Mirroring a website with wget

Sometimes you want to quickly mirror a web page, maybe to keep an offline version or to download part of a site, for example documents such as PDFs. Another use case is creating a mirror as a base for phishing sites used during red teams or awareness training campaigns. In such cases, we can quickly download a page with wget, including all stylesheets, images, other media files, etc. wget is a powerful tool, and I highly recommend going through its man page.

Spawning interactive TTY from simple shell

So you got a connection from a reverse shell and want to upgrade it to a fully interactive TTY? Below you will find a set of commands that you can use to spawn an interactive terminal from a "dumb" shell and get all the features of an interactive terminal: tab completion, access to history with the arrow keys, job control, STDERR, and the ability to use programs like vim, su, login, ssh, etc. The topic isn't new and has been described many times on the internet; in this post, however, I will show you my approach and how to resolve some issues you might encounter.

Escape to shell

This post is a short reference of techniques to spawn a shell from regular Linux / Unix programs or scripting language interpreters. The cheat sheet is useful for getting out of limited environments or for privilege escalation via misconfigured sudo profiles. Please note that not all techniques presented here will work in every restricted environment, so it is up to you to find which methods suit you best, depending on the situation.

Reverse shell cheat sheet

Often after gaining remote code execution, we want interactive access instead of issuing single commands or interacting with a web shell. Our options are limited to the software installed on the target system unless we can upload our own binary. This post contains a collection of reverse shells using different programs, scripting languages, and programming languages, gathered over time. It might be helpful during penetration tests, CTFs, or courses like OSCP.